Closed Bug 789021 Opened 12 years ago Closed 3 years ago

Sync doesn't use the certificates from the Android system certificate store on 4.0.4 on some devices

Categories: Firefox for Android Graveyard :: Android Sync, defect, P5
Tracking: Not tracked
Status: RESOLVED INCOMPLETE
People: Reporter: mozilla.attic, Unassigned
Whiteboard: [sync:scale]
Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0
Build ID: 20120824154833

Steps to reproduce:

I'm using a private weave sync server which works fine with several desktop Firefoxes and two Android Firefoxes.  It doesn't work on my third Android device (without a visible failure message), throwing a "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate" exception in the log (despite the correct certificate authority being installed in the Android system certificate store).

The Firefox on the Android devices is always Firefox 15.0 from Google Play.


Actual results:

In detail: There are two cases: The "works fine" case and the "broken" case.

The "works fine" case: On my Motorola Razr (stock rom, 4.0.4/api 15) the necessary certificate authority is stored in the Android system certificate store and everything works fine as expected.  See the attached trazr-cert_nobug.alogcat in the .zip file.  However, there is an exception in the log (see line 767) which I can't account for.  Synchronization also works fine on my Google Nexus 7 tablet (stock rom, 4.1, same setup as before).

The "broken" case: On my Lenovo A1 (7" tablet, now lenovo beta rom 4.0.4/api 15, but the same under lenovo stock rom 2.3.6) the necessary certificate authority is stored in the Android system certificate store (like before), but the synchronization doesn't happen (no failure message, but no synchronization).  The log shows an exception "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate", see attached tla1-cert_bug.alogcat in the .zip file, line 61.

As mentioned before, this is always Firefox 15.0 from Google Play and happens more or less independent from the rom used on the Lenovo A1 (in fact I only upgraded to the 4.0.4 beta rom in order to fix this bug, i.e. getting synchronization back).  Synchronization was working with older Firefox versions (before 14 I think).




Expected results:

The sync service on the Lenovo A1 ("broken case") should have used the certificate authority in the Android system certificate store to validate the SSL certificate from the weave server - as it does on the Motorola Razr and the Google Nexus 7 ("works fine" cases).

And - before you ask - I'm sure that the "right" CA is stored in the Android system certificate store in all the mentioned cases.
I'm pretty sure this varies by Android version. We don't intervene with the secure socket layer beyond specifying some parameters. Indeed, there's an open bug to intervene to allow self signed certs. 


I am also pretty sure that nothing changed in our HTTP layer between 14 and 15 that would affect this.
Possibly relevant: Bug 756763 and WONTFIX Bug 765064.
Some clarifications and my workaround:

AFAICT this bug affects FF14 and FF15 on all lenovo roms (for the A1 tablet) I've seen so far; I don't know if non-lenovo roms (like e.g. CM7) are also affected (but I guess they are not).

Moreover, sync has worked in the past with versions older than FF14 - I'm guessing here (again), but I think sync was an internal part of FF back then and did use the FF internal certificate management (in contrast to the Android system one).

I'm using a workaround for my (rooted) device by now: I installed my CA into the Android system certificate management by copying it into /system/etc/security/cacerts/ on the device (mind you, this is an ICS rom without the old cacerts.bks thing).  By looking at the already installed CAs, I guessed the file format and converted my pem like this:

  #!/bin/sh
  # Build an Android 4.x system-store CA file from a PEM certificate.
  # Argument: path to the CA certificate in PEM format.

  #CERT="${HOME}/.ssl/certs/emeraldcityca-cacert.pem"
  CERT="${1}"; [ -r "${CERT}" ] || exit 1

  # output file name: OpenSSL subject hash of the CA, plus ".0"
  CERT_HASH="$(openssl x509 -in "${CERT}" -hash -noout).0"

  {
    # the cert itself (PEM block)
    openssl x509 -in "${CERT}"

    # cert info (human-readable dump)
    openssl x509 -in "${CERT}" -noout -text

    # cert sha1 fingerprint
    openssl x509 -in "${CERT}" -noout -fingerprint

  } >"${CERT_HASH}"

The CA is now recognized and appears in the list of trusted CAs on the device - and works like a charm for sync.  As an added bonus, I don't need to unlock the device by pin (which is required by Android if "user CAs" are installed).
One more comment: On my two other Android devices (mentioned above, ICE and JB) which sync to/from the same server without problems, only the CA is stored in the Android system certificate management thing, i.e. the workaround mentioned here: https://bugzilla.mozilla.org/show_bug.cgi?id=756763#c7 (storing also the derived certificate from the web server hosting weave) is not needed on these devices.  I didn't check if the workaround would do the trick on the buggy lenovo tablet or not.
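A more careful version of the same workaround, added here as an example; it is neither the reporter's script nor Mozilla code. Two things it does differently: it names the output file after the old-style OpenSSL subject hash (`-subject_hash_old`), which is the naming convention the AOSP cacerts tooling uses for /system/etc/security/cacerts/ (on OpenSSL 0.9.8 plain `-hash` still produced that value, which is why the script above worked; from OpenSSL 1.0.0 on, `-hash` uses a different algorithm and Android would not find the file), and it verifies that the CA actually validates the server certificate before anything is copied to the device. The function names, the output directory and the throwaway self-signed test CA are constructed for this example.

```shell
#!/bin/sh
# Added example (not the reporter's script): prepare an Android 4.x
# system-store CA file from a PEM CA and sanity-check it first.
set -eu

# Android looks the CA up by the *old-style* subject hash, i.e.
# "openssl x509 -subject_hash_old", not by -hash / -subject_hash
# (assumed AOSP convention; hypothetical helper names throughout).
android_cacert_name() {
    # $1 = CA in PEM format; prints e.g. "5ed36f99.0" (value is illustrative)
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

build_android_cacert() {
    # $1 = CA in PEM format, $2 = output directory (staging area, not /system)
    # Writes the Android-style file and prints its path.
    ca="$1"
    out="$2/$(android_cacert_name "$ca")"
    {
        openssl x509 -in "$ca"                          # the PEM block itself
        openssl x509 -in "$ca" -noout -text             # human-readable dump
        openssl x509 -in "$ca" -noout -fingerprint -sha1
    } > "$out"
    echo "$out"
}

verify_against_ca() {
    # $1 = CA in PEM format, $2 = server certificate in PEM format.
    # Exit status 0 only when the server cert chains to this CA; run this
    # before copying anything to the device so a wrong CA is caught early.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_ca() {
    # Constructed input for demonstration: a throwaway self-signed CA.
    # $1 = output PEM path (the private key is written next to it).
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=Example Test CA" -days 1 -out "$1" 2>/dev/null
}
```

Typical use is `build_android_cacert ca.pem ./staging` after `verify_against_ca ca.pem server.pem` succeeds; the resulting `<hash>.0` file is what gets pushed to /system/etc/security/cacerts/ on a rooted device. Keeping the staging directory separate from /system means a malformed file never lands in the trust store.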
(In reply to Matthias Brill from comment #3)

> Moreover, sync has worked in the past with versions older than FF14 - I'm
> guessing here (again), but I think sync was an internal part of FF back then
> and did use the FF internal certificate management (in contrast to the
> Android system one).

Correct. In XUL Fennec, Sync was pretty much identical to the desktop version, and used Necko. In Native Fennec, Sync uses the Java network layer, not Necko.


> The CA is now recognized and appears in the list of trusted CAs on the
> device - and works like a charm for sync.  As added bonus, I don't need to
> unlock the device by pin (which is required by Android if "user CAs" are
> installed).

Thanks for writing this up for others to find!
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Summary: Sync (sometimes) doesn't use the certificates from the Android system certificate store (and sync doesn't work) → Sync doesn't use the certificates from the Android system certificate store on 4.0.4 on some devices
Whiteboard: [sync:scale]
Product: Mozilla Services → Android Background Services
Blocks: 756763
Product: Android Background Services → Firefox for Android
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195

Needinfo :susheel if you think this bug should be re-triaged.
Priority: P3 → P5
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard